Day 3: Dublin Airport Battles "From Scratch" Recovery as European Ransomware Crisis Deepens

Breached Company

22 Sep 2025 — 5 min read

September 22, 2025 - Monday Evening Update

Breaking: Dublin Enters Third Day of Chaos While Some Airports Show Resilience

Following our comprehensive after-weekend update, new developments reveal Dublin Airport has emerged as the crisis's most persistent victim, with officials confirming they're literally rebuilding servers "from scratch" with no clear timeline for resolution. The Irish capital's Terminal 2 remains in crisis mode on Monday evening, marking a third consecutive day of disruption that has left passengers stranded and airlines scrambling.

The Dublin Disaster: When Recovery Goes Wrong

Terminal 2: Ground Zero for Prolonged Crisis

Dublin Airport spokesman Graeme McQueen painted a grim picture Monday morning: "This malware has affected the servers in the terminal so we are having to rebuild the servers from scratch." This stark admission reveals why Dublin's recovery has lagged so far behind other affected airports.

The Dublin Timeline:

Friday Night: Initial ransomware strike hits Collins Aerospace MUSE systems
Saturday: Terminal 2 evacuated due to suspicious baggage (unrelated but compounding chaos)
Sunday: US IT experts flown in to assist recovery efforts
Monday: Still rebuilding servers with no end in sight

Unique Challenges at Dublin

Aer Lingus passengers facing 30-40 minute queues minimum
Terminal 2 exclusively affected while Terminal 1 operates normally
Complete server rebuild required rather than system restoration
Manual workarounds using iPads and laptops for check-in

The Geographic Divide: Winners and Losers

Hardest Hit (The Crisis Zones)

Brussels:

60 flights cancelled Monday (out of 550 scheduled)
Asked airlines to cancel 50% of Monday departures preemptively
Still awaiting secure MUSE software update
Our earlier reporting detailed how Brussels was using iPads for check-in

Berlin Brandenburg:

Systems still offline as of Monday afternoon
Hour-plus delays continue for departures
Manual processes causing ongoing bottlenecks

Dublin:

Terminal 2 in complete rebuild mode
No timeline for restoration
Third day of severe disruptions

The Resilient (Minimal Impact)

Paris (Roissy, Orly, Le Bourget):

Reported NO disruptions throughout crisis
Alternative systems prevented cascade failure

Frankfurt:

Relatively spared despite being major hub
Quick switch to backup systems

Amsterdam Schiphol:

Minor impacts only
Rapid recovery implementation

Partially Affected

London Heathrow:

"Vast majority" of flights operating normally by Monday
British Airways unaffected due to separate systems
Residual delays but improving

Cork Airport:

"Minor impact" reported
Potential entry point for attack (Collins data center located there)

Financial Fallout: Markets React

Monday Morning Trading

International Airlines Group (IAG): Down ~1%
EasyJet: Down ~1%
Wizz Air: Down ~1%
Ryanair: Down 1.69% (extending month-long slide)
Industry-wide concerns about Q4 earnings impact

Cost Projections

Brussels Airport alone: €22 million in rerouted cargo
Passenger compensation under EU261: Estimated €4.5 million
Total industry impact: Potentially exceeding €150 million

The Attack Vector: Cork Connection

New intelligence suggests the attack may have originated through Collins Aerospace's European data center in Cork, Ireland. According to technical analysis, the breach began at 22:45 GMT on September 19 with:

Phishing vectors disguised as RTX firmware updates
Exploitation of unpatched MUSE API gateway vulnerabilities (CVSS 9.8)
Lateral movement through federated authentication layers
Over 500,000 passenger itineraries encrypted by 02:00 GMT Saturday

Expert Warnings: This Is Just the Beginning

Cybersecurity Perspectives

Ciaran Martin (Former UK National Cyber Security Centre head):
"Disruptions can take days to recover. Sometimes when it's criminals they will demand a ransom and publicise it, but that hasn't happened yet."

Rafe Pilling (Sophos):
"Disruptive attacks are becoming more visible in Europe, but truly large-scale attacks that spill into the physical world remain the exception rather than the rule."

Charlotte Wilson (Check Point):
"These attacks often strike through the supply chain, exploiting third-party platforms used by multiple airlines and airports at once."

Kevin Beaumont (Former Microsoft threat analyst):
"These disruptions are dress rehearsals for larger attacks. Aviation's reliance on legacy systems makes it a prime target."

The Ransomware Details: What We Know

Confirmed by ENISA:

As we reported in our after-weekend update, ENISA has officially confirmed:

Ransomware strain identified (not publicly disclosed)
Law enforcement actively investigating
Third-party incident confirmed
No group has claimed responsibility

Speculation on Attribution:

Russian-linked groups (APT28/Fancy Bear) suspected given Ukraine tensions
Alternatively, criminal groups like LockBit seeking financial gain
Possible state-sponsored "dress rehearsal" for larger attacks
Iranian groups (APT33) also mentioned in intelligence circles

Passenger Horror Stories Continue

Dublin's Monday Morning Chaos

Families sleeping in terminals for third consecutive night
Business travelers missing critical meetings
Students unable to return to universities
Medical appointments missed due to cancellations

The Manual Process Nightmare

Handwritten boarding passes
Phone-based passenger lists
Paper baggage tags
No automated gate assignments

Lessons Deliberately Ignored: The CrowdStrike Warning

As detailed in our weekend analysis, just two months after the CrowdStrike BSOD incident forced similar manual operations globally, the aviation industry finds itself in an eerily similar crisis. The key difference? This time it's malicious, not accidental.

What Should Have Been Fixed Post-CrowdStrike:

Rapid rollback mechanisms for third-party systems
Adequate manual backup capacity
Offline operational capabilities
Diversified vendor dependencies

What Actually Happened:

Same vulnerabilities exploited
Same manual fallback failures
Same cascade effects
Same passenger chaos

Recovery Projections: When Will This End?

Best Case (Most Airports):

Tuesday: Normal operations resume
Wednesday: Backlog cleared
Thursday: Full schedule restoration

Worst Case (Dublin, Brussels):

Tuesday-Wednesday: Continued disruptions
Thursday-Friday: Gradual improvement
Weekend: Potential full recovery

Long-term Impact:

Trust in digital systems eroded
Regulatory scrutiny intensified
Insurance premiums likely to spike
Accelerated investment in resilience (finally?)

Immediate Passenger Guidance

If Flying This Week:

Avoid Terminal 2 at Dublin if possible
Check-in online mandatory - Screenshot boarding passes
Arrive 4 hours early for international flights
Pack medication/essentials in carry-on only
Consider alternative routes through unaffected hubs (Paris, Frankfurt)
Purchase flexible tickets - More disruptions possible

Airlines Most Affected:

Aer Lingus (Dublin Terminal 2)
Brussels Airlines (Brussels hub)
Lufthansa (Berlin connections)
Anyone using common-use check-in desks

The Bigger Picture: Aviation's Digital Achilles' Heel

This ransomware attack represents the second major aviation IT crisis in just two months, following July's CrowdStrike incident. Together, they reveal a pattern:

Over-centralization of critical systems
Inadequate offline capabilities for modern passenger volumes
Supply chain vulnerabilities actively exploited
Regulatory frameworks lagging behind threats
Cost-cutting prioritized over resilience

What Happens Next?

Immediate Actions:

ENISA coordinating Europe-wide response
FBI assisting due to RTX's US base
Airlines implementing workarounds
Passengers adapting travel plans

This Week:

Gradual system restoration (except Dublin)
Investigation intensifying
Potential ransom negotiations (undisclosed)
Regulatory emergency meetings

Long-term Implications:

NIS2 Directive enforcement accelerated
Mandatory offline backup requirements
Potential €100 million+ fines for Collins/RTX
Industry-wide security audit mandates
Insurance market disruption

The Unasked Question: Where's the Ransom Demand?

Unusually for a confirmed ransomware attack, no group has claimed responsibility and no ransom demand has been made public. This suggests either:

Negotiations happening privately
Attack was disruption-focused rather than financial
State-sponsored actors testing capabilities
Criminals waiting for maximum pressure before demands

Conclusion: A Crisis of Preparedness

As Dublin Airport enters its fourth day of disruption with servers being rebuilt from scratch, the European aviation ransomware crisis has evolved from an operational inconvenience into a full-scale indictment of the industry's digital preparedness.

The geographic divide between affected and resilient airports proves that preparation matters - Paris, Frankfurt, and Amsterdam's minimal impact shows that adequate backup systems and vendor diversification work. Meanwhile, Dublin's ongoing catastrophe demonstrates what happens when critical infrastructure lacks proper resilience planning.

Most damning is that this crisis comes just two months after CrowdStrike's accidental outage provided a clear warning. The industry's failure to implement lessons learned has transformed what should have been a manageable incident into a multi-day, multi-billion-euro disaster affecting millions of passengers.

As Graeme McQueen's admission about rebuilding Dublin's servers "from scratch" echoes across the industry, one thing becomes clear: the question isn't whether another attack will come, but whether aviation will finally be ready when it does.

This is a developing story. Updates continue as the situation evolves.

Reporting from Dublin, Brussels, Berlin, and London. Additional analysis from aviation security experts and industry insiders.

Related Coverage:

Last updated: Monday, September 22, 2025, 6:00 PM GMT